
I'm running a node application which needs to make calls to a third party API, on behalf of my user, using their own API keys.

API calls only need to be made on behalf of the user while they are logged into my site.

Currently I use bcrypt to hash and compare their password:

```js
const bcrypt = require('bcrypt');

// Registration: hash the password with cost factor 12 and store the hash.
bcrypt.hash(req.body.password, 12, function (err, hash) { /* store hash for the user */ });

// Login: compare the submitted password against the stored hash.
bcrypt.compare(req.body.password, users[req.body.username]['password'], function (err, result) { /* result is true on a match */ });
```

I thought that when a user adds their API key to the website I could require their password again, and after validating the password, I could use the encryption method here to encrypt it (with their plaintext password as the key).

When a user logs in, I could validate their password, decrypt their API key using the method from the link above (and their password), and store the API key in plain text using express-sessions, ready for making calls on user request.

With this method, if the user loses their password they will have to reset their API keys. I'm happy to accept that trade-off.

Is this approach safe or is there something I'm overlooking?

Michael P
  • Hi Michael. This question and answer might be what you are looking for https://security.stackexchange.com/questions/23409/how-to-login-and-encrypt-data-with-the-same-password-key?rq=1 – Dijkgraaf Mar 20 '20 at 01:59

0 Answers